Slashdot Mirror


The End of Signature-Based Antivirus Software?

nosig writes "PCMagazine is running a story around the latest AV-TEST response time and proactive detection test for the latest MS05-039 vulnerability-related attacks. The test results were announced by the author to the focus-virus discussion list. What's really impressive, besides the huge difference between response times among antivirus companies, is that two products succeeded in proactively detecting all 6 attacks without any signature update. "

21 of 290 comments

  1. NGSCB/Palladium by electrosoccertux · · Score: 3, Insightful

    We better find a way to secure our computers without Bill's help. Otherwise he has a major reason for why we "need" the NGSCB....even though it would most likely be used to accomplish other things.

  2. The problem isn't the software... by QuantumPion · · Score: 4, Insightful

    ...It's the users. Until the general population of computer users become smart enough to know not to open strange attachments or install malware from unscrupulous websites, hax0rs will always find a way around virus protection schemes.

    People here always clamor about how poorly Windows is designed and how it leaves people so open to attack. The truth is, even if everyone in the world used Linux, the hackers would still write viruses to exploit the same vulnerabilities stemming from the ignorant masses.

    1. Re:The problem isn't the software... by Drooling+Iguana · · Score: 1, Insightful

      Sigh... There seems to be one of these in every virus-related thread...

      Linux would not get this many viruses if it was as popular as Windows because Linux doesn't have these "same vulnerabilities". For one thing, while a default Windows install has countless "services" enabled that would allow a malicious user or program to gain access to the system, a typical Linux install would have absolutely no point of entry for these types of attacks unless the user chooses to enable them.

      Other types of problems such as trojan horse attacks and spyware would also find Linux machines far more difficult to exploit as all system files are kept in directories that typical users do not have write access to. Yes, I know it's possible to enable such a system on recent versions of Windows, but many users do not do so and many programs will not work in such a configuration.

      Add this to the fact that Linux is not a monoculture, and that an exploit that opens up on one configuration will most likely not be a problem on others, and you have a system that is not and never will be as inherently insecure as Windows.

      --
      ... I'm addicted to placebos
    2. Re:The problem isn't the software... by johnnyb · · Score: 3, Insightful

      Most of these problems are not problems specific to Windows but are specific to dumb users.

      Windows viruses usually don't propagate by modifying system files and whatnot. They do it just through the user's own account.

      If a UNIX user opened what was advertised as a pr0n screensaver, and it wound up infecting his .bashrc file and creating an SMTP worm, there is absolutely NOTHING in the UNIX architecture that would stop this.

      The problem is the culture that Windows has engendered, which says "everything should be automagic -- don't think! -- just click and the world will be yours!" It was caused by Windows, but bringing users of the same mentality to UNIX will just cause the problem to exist on UNIX, too.

    3. Re:The problem isn't the software... by saintp · · Score: 3, Insightful

      You don't know anything about users, do you? You can always get a user to do something stupid, no matter what OS they're running. It's just that Windows usually makes it easier to do stupid things. Keeping the OS updated isn't even hard -- hell, you configure it once and never click anything again -- but users can't seem to do it. I don't care if everyone on the planet ran BSD or AIX or Trusted Solaris or friggin' VMS; there would still be plenty of morons who would be unable to keep their boxes patched to even remotely current levels, and even more who would happily type in their root password to get a "free web accelerator!" or to see "so cool a movie." It doesn't matter how secure an OS is if the computer has a stupid operator.

    4. Re:The problem isn't the software... by Delphiki · · Score: 5, Insightful

      The Linux kernel might be fairly low on bugs, but the entire library of software that typically comes with it is not. If you really think that's not true, then you must not watch Linux forums that list things like critical security updates for a distribution very often.

      Your post reads like you've never thought to question any of the rhetoric associated with OSS. Have you ever heard of social engineering? How about the fact that you wouldn't need root privileges to install a keylogger on a user's account if you can get them to run a malicious program?

      Are you going to try and suggest that if we all ran Linux that an exploit for MySQL wouldn't be just as bad as SQL slammer? There are plenty of applications which are installed on the vast majority of Linux systems, like the kernel, bash, XFree86, etc.. If one of those had a major security vulnerability how is the lack of a "monoculture" going to help you?

      Just about everyone who posts something like what you did points out that most Linux users do not run under root. Guess what? That's because most of them are computer geeks like me, and I would assume you. I don't run Windows under my admin account and I don't run Linux under root. If the average user moves to Linux, they will probably end up running everything under root, because the average user doesn't want to deal with two logins and having to move from one to the other to do certain tasks. If you think somehow it will magically solve that problem because it's Linux, you're fooling yourself.

      --

      Feel free to mod me "-1 - Angry Jerk".

    5. Re:The problem isn't the software... by 99BottlesOfBeerInMyF · · Score: 4, Insightful

      The problem is the culture that Windows has engendered, which says "everything should be automagic -- don't think! -- just click and the world will be yours!"

      I call this the "OK/Cancel" problem. Users get into the mindset that if they just click OK all the time things will work. You have to click OK a dozen times a day to keep your computer working, just like adding gas to a car. After a little while they don't even pay attention to what is being asked.

      Part of the solution is simply to use better dialogue windows and part of it is to give the user better choices. I remember in Word (back in the day) I would get a dialogue box that said, "Warning, this word file contains macros that may be viruses, open it anyway? OK/Cancel" Talk about useless. What it needed was a button that said, "open the file, but don't run any macros." I know people who would have paid $500 bucks for that option. Aside from all the viruses that autorun (which are pretty much MS's fault) e-mail should never run executables when clicked without attaching a warning that says, this is a program, not a file. it may be a virus (Don't run)/(Run but don't allow access to my files of the internet)/(Run and let it access my files and the internet.)" That would stop most viruses right there. If Linux was the market leader it would have some of the same problems, but I bet someone would include that dialogue box and make all our lives easier. This is partially a problem with users, but mostly it is a problem with functionality. Users need fine grained control, good default settings, and a good user interface that lets them know what it is they are doing. I haven't seen all three of those yet, anywhere but it is very possible. The only reason it does not exist is because MS doesn't care because it has a monopoly and Apple/Linux developers don't have a problem yet and are thus not motivated to solve it.

    6. Re:The problem isn't the software... by Drooling+Iguana · · Score: 4, Insightful

      The Linux kernel might be fairly low on bugs, but the entire library of software that typically comes with it is not. If you really think that's not true, then you must not watch Linux forums that list things like critical security updates for a distribution very often.

      Those updates are for potential exploits in programs that the user may have installed (but, in the case of a typical desktop user, probably won't.) This hardly compares to the endless march of exploits that can attack the default configurations for Windows.

      Your post reads like you've never thought to question any of the rhetoric associated with OSS. Have you ever heard of social engineering? How about the fact that you wouldn't need root privileges to install a keylogger on a user's account if you can get them to run a malicious program?

      And how, pray tell, would such a malicious program get onto a Linux machine in the first place, since Linux programs are typically installed from a central repository using a tool such as apt-get or Portage, rather than from executables downloaded from random web sites, as Windows programs are?

      Are you going to try and suggest that if we all ran Linux that an exploit for MySQL wouldn't be just as bad as SQL slammer?

      And how many regular users will have MySQL installed on their systems, particularly in a configuration that allows it to be accessed remotely?

      There are plenty of applications which are installed on the vast majority of Linux systems, like the kernel, bash, XFree86, etc.. If one of those had a major security vulnerability how is the lack of a "monoculture" going to help you?

      Those programs are not remotely accessible in their default configurations.

      Just about everyone who posts something like what you did points out that most Linux users do not run under root. Guess what? That's because most of them are computer geeks like me, and I would assume you. I don't run Windows under my admin account and I don't run Linux under root. If the average user moves to Linux, they will probably end up running everything under root, because the average user doesn't want to deal with two logins and having to move from one to the other to do certain tasks. If you think somehow it will magically solve that problem because it's Linux, you're fooling yourself.

      Except that nearly every Linux distribution strongly encourages or even outright forces the creation of a regular user account during installation, and many programs will pop up warnings when run as root.

      --
      ... I'm addicted to placebos
    7. Re:The problem isn't the software... by iminplaya · · Score: 2, Insightful

      The problem is the culture that Windows has engendered, which says "everything should be automagic -- don't think! -- just click and the world will be yours!"

      For the average joe that's the way it should be. Just like the TV, microwave, car, etc. They're not buying a Heathkit. They want a working appliance. The thing should be every bit as trustworthy and reliable and durable as a typewriter and an adding machine and an old style desk phone. When defects show up in these things, we usually take it to the shop, or there is a recall, or it's fixed under warranty. Why we continue to buy defective computers I'll never understand. The situation is truly unacceptable. The real danger comes up when an x86 machine with any kind of OS is put into a critical system. They have absolutely no business in such a place. BTW, the Mac is pretty much "click and go". Windows is simply trying to emulate it. With pretty nasty results I might add.

      --
      What?
    8. Re:The problem isn't the software... by njyoder · · Score: 2, Insightful

      Those updates are for potential exploits in programs that the user may have installed (but, in the case of a typical desktop user, probably won't.)

      You're joking, right? A lot of software for Linux is de facto standard and is effectively equivalent to the software installed by default by Windows. A good example is fetchmail, which is very commonly used for fetching POP3 email, which can and has had exploits. It wouldn't even matter if you were using mutt or whatever other software, as the weak link (fetchmail) would allow them to compromise your account anyway.

      And spare me the rhetoric. Many Windows exploits are theoretical too and they don't know if they can practically be exploited either. *nix software is no special exception.

      rather than from executables downloaded from random web sites, as Windows programs are?

      1. E-mail, users can and will run programs from e-mail.
      2. From random websites. If *nix were as popular as windows, there would inevitably be many websites offering software not available from a central repository.

      If the repository is too strict, then software authors will be forced to offer it from their own websites and to some extent they already do this. If it's too lenient, then anyone can get a trojan added to the repository, it's not like they audit every single binary added to it. Hell, they don't even audit 99% of those added.

      And how many regular users will have MySQL installed on their systems, particularly in a configuration that allows it to be accessed remotely?

      You do realize that this statement can be reversed and applied in the same exact way to MS SQL, right? Most users don't run MS SQL and most aren't stupid enough to have it on an open port, but for those that did, it caused a lot of problems. You're ridiculously naive to assume that there aren't tons of MySQL servers whose ports are open to the public.

      Those programs are not remotely accessible in their default configurations

      You're focusing on a few bad examples and missing the point completely. There are plenty of widely used *nix internet apps that are most definitely remotely accessible.

      Except that nearly every Linux distribution strongly encourages or even outright forces the creation of a regular user account during installation, and many programs will pop up warnings when run as root.

      And we all know how effective warnings are for end users who have tendency to just mindlessly click 'ok.' You're completely ignoring the fact that we're talking about the segment of the population that doesn't follow even the most basic security practices.

      The distro MUST allow the user to install their own software and this would just entail some boxes that the user would just click through without thinking about it. Not just that, but you don't even need root access to spread a worm/virus. You just need direct or indirect access to an internet connected program, such as e-mail. It can spread entirely within a regular user's account.

  3. Death of? by springbox · · Score: 4, Insightful

    That's a bit extreme. If anything the signature based AV software isn't going anywhere right now. It seems like behavior analysis, which is what I thought of when I read the headline, would be a nice extra preventative measure to integrate into existing resident scanners. It doesn't seem like that type of technique would be very reliable if used by itself. Maybe the headline should have been: "A program that watches other programs spots a potential problem in advance!"

  4. Signature is the only way to scan on entry by m50d · · Score: 4, Insightful

    This kind of thing can only work if it's on the machines that will be running the viruses. If you want to scan everything coming in, or at your mail gateway, signature is still the way to go. There's a place for both methods, as has been the case for a long time.

    --
    I am trolling
  5. Windows Worms by hey · · Score: 1, Insightful

    Nice to see them called "Windows Worms" instead of computer viruses as usual. These are all Windows problems.

  6. Virus proliferation by QangMartoq · · Score: 5, Insightful

    It is almost amazing to me that most viruses (and other various forms of malware) continue to flourish in a computer culture where using a virus scanner is so common nowadays.

    Why is that? From personal experience, most people I know run some form of AV software, which is good. They do not however, keep it updated! Let's examine why this is.

    Average Joe buys a Dell. It comes with AV software, such as Norton or McAfee preloaded.

    The software has a finite length of time (usually 3 to 6 months) before the user must pay to continue getting updates.

    Average Joe doesn't see why they should have to pay to keep their AV software updated. ("I paid $XXX for this machine, and they want more? Heck no.")

    While that may be a valid objection, it doesn't help to stop the spread of viruses. So what is the solution?

    In my personal opinion, the solution is to make basic AV software, and any required updates, free of charge for the user. Software that fits this description (example: Grisoft AVG Free Edition) is already available.

    What I cannot understand is why PC manufacturers do not use something like the above instead of "pay for updates" products. It would reduce their support calls dramatically, would it not?

  7. wait a second ... by Anonymous Coward · · Score: 3, Insightful

    How about a proper security & permissions architecture and non-exploitable system & application sw? Wouldn't that be better than having to burn CPU cycles looking for this crap?

    1. Re:wait a second ... by koehn · · Score: 3, Insightful

      Just let me know if you find any reasonably popular OS available which fits that description. I could easily craft a unix worm in the form of a shell script, with instructions in the email that would trick grandma into running it, and get it running on at least half of all *nix based machines, regardless of vendor. In that script, I'd nohup a simple process which finds a port open and internet-accessible, open a listener on it, and give that listener access to the shell. Then I'd install myself in the user's .*rc file so I could run after a reboot. Profit!

      Building a secure OS (where the user can still install their own s/w) is pretty-much agreed to be nowhere near doable these days, so we "burn CPU cycles" dealing with the problems that the developers missed. Seems like an intelligent response to me.

  8. Re:Excel sheet Zip file???? by Skiron · · Score: 3, Insightful

    http://marc.theaimsgroup.com/?l=focus-virus&m=112489911518567&w=2

    Perhaps. But unless you are on windows, and with the additional £300 MS Office, you are not going to see a lot?

    Straight away any credibility to a study group issuing information in a non open standard application leaves doubt.

  9. Re:Excel sheet Zip file???? by Anonymous Coward · · Score: 2, Insightful

    Is it safe to open?

    Go ahead. It's safe.

    (You are using OpenOffice under Linux or BSD, right?)

  10. REAL Antivirus! by rcbarnes · · Score: 2, Insightful

    Honestly...

    I haven't needed signature-based AV for over a year, and I've never gotten a virus. What's my AV? POSIX. Look at the safety record of POSIX OSs. Only about 40 known viruses for Linux (yes, technically, it's not officially tested, but it does comply with the Single Unix Specification) or MacOS X (I know, it does not quite comply, and has also not been approved either), about 6 for commercial UNIXs. Almost all of these viruses were proof-of-concepts, and none have been seen in the wild (largely because the concept they proved was promptly secured).

    --
    "Fight for lost causes. You may discover they weren't."
    1. Re:REAL Antivirus! by justsomebody · · Score: 2, Insightful

      NT is POSIX compliant too, you know:)
      You did mean to say *NIX, didn't you?

      I'm an avid Linux user, but I couldn't say that safety is the problem here. Install application as normal user in userland and this application is virus prone.

      Same goes for OSX. Almost all applications are d'n'd-ed to Application folder. Only installable applications are installed with higher user. You can simply modify .app/Contents/Info.plist (or something like that, in my usual reality I hate OSX), put a bash script

      #!/bin/sh
      rm -y /
      application

      then say how secure it is.

      --
      Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
  11. Re:Data from the article by Baron+von+Leezard · · Score: 5, Insightful

    This is a meaningless test. I can write an AV program that will get 6/6 no matter what you feed it: it always returns positive. Is that actually helpful? Obviously not. The article mentions that the products that scored 6/6 have a higher false positive rate. Sounds harmless, but even the tiniest false positive rate renders a product completely unusable when the volume of scanned items is high. So what does this test actually reveal? Absolutely nothing. [BvL]
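The base-rate point in the comment above, worked through as an added example (not part of the thread or of AV-TEST's methodology): a detector that always returns positive scores 6/6 too, and at gateway volumes even a small false-positive rate swamps the true detections. The prevalence, daily volume and per-detector rates below are constructed assumptions, not figures from the article.

```python
"""Base-rate arithmetic for a proactive-detection score like 6/6.

Added example; every number here is an assumed, constructed input.
"""


def detector_stats(recall, fpr, prevalence, volume):
    """Expected daily outcomes for one scanner.

    recall      fraction of malicious items it flags (6/6 -> 1.0)
    fpr         fraction of benign items it wrongly flags
    prevalence  fraction of scanned items that are actually malicious
    volume      items scanned per day
    """
    malicious = volume * prevalence
    benign = volume - malicious
    tp = malicious * recall          # real detections
    fp = benign * fpr                # benign items blocked or quarantined
    fn = malicious - tp              # infections that got through
    flagged = tp + fp
    precision = tp / flagged if flagged else 0.0  # share of alerts that are real
    return {"true_positives": tp, "false_positives": fp,
            "missed": fn, "precision": precision}


def max_fpr_for_precision(recall, prevalence, target_precision):
    """Largest false-positive rate that still keeps precision >= target.

    From precision = r*p / (r*p + f*(1-p)), solving for f gives
    f <= r*p*(1-t) / (t*(1-p)).  This is the 'tiniest false positive
    rate' bound: it shrinks linearly with prevalence.
    """
    r, p, t = recall, prevalence, target_precision
    return r * p * (1 - t) / (t * (1 - p))


def compare(prevalence=0.001, volume=1_000_000):
    """Three constructed detectors on an assumed mail-gateway day:
    1 in 1000 items malicious, one million items scanned."""
    scenarios = {
        # the 'always positive' detector from the comment: 6/6 with 100% FPR
        "always_positive": (1.0, 1.0),
        # a proactive product: caught all six, assumed 0.1% FPR
        "proactive":       (1.0, 0.001),
        # a signature-only product: assumed half the new samples missed, no FPs
        "signature_only":  (0.5, 0.0),
    }
    return {name: detector_stats(r, f, prevalence, volume)
            for name, (r, f) in scenarios.items()}


if __name__ == "__main__":
    for name, s in compare().items():
        print(f"{name:16s} TP={s['true_positives']:9.0f} "
              f"FP={s['false_positives']:9.0f} missed={s['missed']:6.0f} "
              f"precision={s['precision']:.3f}")
    # How clean must a 6/6 detector be to make 9 of 10 alerts real?
    print("max FPR for 90% precision at 0.1% prevalence:",
          f"{max_fpr_for_precision(1.0, 0.001, 0.9):.2e}")
```

With these inputs the 0.1% FPR detector produces about as many false alarms as real detections per day, and the always-positive detector's precision equals the prevalence itself, which is what makes a recall-only score uninformative.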